COP Cloud Governance Policy
The Public Health Data Center of Practice (PDCP) recognizes the value of cloud computing as an enabler of innovation and the importance of using cloud services in a responsible and secure manner. This policy provides a framework for the appropriate use of cloud services in support of PDCP activities, while ensuring that the confidentiality, integrity, and availability of PDCP data and information are maintained.
This policy is intended to guide the use of cloud services by the PDCP. It applies to all PDCP staff and external partners who use or access cloud services for PDCP-related activities.
The PDCP cloud governance policy is:
- Easy to understand: This policy is written in clear and concise language to ensure that all users can understand and comply with its requirements.
- Compliant with Government of Canada cloud policies: This policy aligns with the Government of Canada's cloud policies, including the Cloud Adoption Strategy, the Directive on Service and Digital, the Secure Cloud Enablement Guide, and the IT Security Risk Management Framework.
- Flexible and iterative: This policy recognizes that cloud services and associated risks are continually evolving, and the PDCP will iteratively develop governance structures and controls as needed.
The following requirements must be met to ensure the appropriate use of cloud services by the PDCP:
- Use of Authorized Cloud Services: All PDCP staff and external partners must use only authorized cloud services approved by the PDCP. The PDCP will maintain a list of approved cloud services and regularly review and update it as needed.
- Data Classification and Management: PDCP staff and external partners must classify data and information that will be stored, processed, or transmitted via cloud services, in accordance with the PDCP Data Classification Policy. They must ensure that data is managed securely, and access controls are applied as per the PDCP Access Control Policy.
- Security and Privacy: PDCP staff and external partners must ensure that cloud services used to store, process, or transmit PDCP data and information meet the security and privacy requirements outlined in the PDCP IT Security Policy and the PDCP Privacy Policy.
- Risk Management: PDCP staff and external partners must conduct and document risk assessments for cloud services used to store, process, or transmit PDCP data and information, in accordance with the PDCP IT Security Risk Management Framework.
- Monitoring and Incident Response: PDCP staff and external partners must monitor cloud services used to store, process, or transmit PDCP data and information to detect and respond to security incidents and potential threats, as per the PDCP IT Security Incident Management Policy.
The PDCP encourages compliance with this policy and will work with users to improve compliance as needed. While the PDCP cannot force users to comply with the policy, the PDCP will monitor compliance and take appropriate corrective actions if necessary.
Non-compliance with this policy may result in the revocation of cloud service access privileges or termination of partnerships. In addition, users who violate this policy may be subject to disciplinary action, up to and including termination of employment or partnership.
🚧🚧🚧🚧🚧🚧🚧🚧🚧🚧🚧🚧🚧🚧🚧🚧🚧🚧🚧🚧🚧🚧🚧🚧
Under Development
- This wiki and the documents being developed under it are living documents.
- They are all pre-decisional.
- Some of these documents were generated using ChatGPT or were developed by other organizations for reuse and adaptation.
- Some of the documents in this wiki are early drafts; they make reference to things that do not exist or to processes not yet being used.
- The Center of Practice (COP) is best effort and will be developed iteratively. This includes the technology supporting the COP.
- In the early stages of the COP, expect change: short life cycles and rapid changes. Plan accordingly.
- Stability in the COP will materialize over time.
- For immediate reference, engage your COP support channel; use the documentation as a secondary source.
- There are references to the COP and PDCP in the documentation; these are the same entity. We haven't picked a name yet :)
All of the pages in this wiki should be considered draft, under development, and needing review. None of these pages are official documentation. All of the pages are a work in progress and discussion is encouraged via the GitHub issues mechanism.
🚧🚧🚧🚧🚧🚧🚧🚧🚧🚧🚧🚧🚧🚧🚧🚧🚧🚧🚧🚧🚧🚧🚧🚧